
Integrate renovate bot for all dependency updates#37050

Merged
silverwind merged 39 commits into go-gitea:main from silverwind:renovate
Apr 26, 2026

Conversation

@silverwind
Member

@silverwind silverwind commented Mar 31, 2026

Replaces Dependabot with Renovate. The new setup:

  • One PR per ecosystem (GitHub Actions, Go modules + Makefile go-tool pins, npm, Python via uv, Nix flake), opened weekly on Mondays with a 5-day release-age cooldown. Vulnerability PRs ship next-day via daily cron + Renovate's vulnerabilityAlerts schedule bypass.
  • All uses: action refs SHA-pinned with patch-level version comments (same format as Pin all GitHub Actions to commit SHAs #36971, which this supersedes); helpers:pinGitHubActionDigests keeps future bumps in that format.
  • renovatebot/github-action runtime image pinned via the upstream-recommended RENOVATE_VERSION env + magic comment + customManagers:githubActionsVersions preset, so Renovate keeps the pin updated.
  • Custom regex manager tracks the *_PACKAGE ?= <import-path>@<version> lines in Makefile (golangci-lint, swagger, actionlint, etc.) and groups them into the same Go PR via matchDatasources: ["go"].
  • Post-upgrade tasks regenerate assets/go-licenses.json (make tidy) and the SVG sprite (make svg), gated by an env-level command allowlist.
  • Replaces the standalone cron-flake-updater workflow — Renovate's nix manager tracks flake.nix inputs and produces the same flake.lock bump PRs on the regular weekly schedule.
  • npm and gomod-replace pins live in renovate.json5 only; updates@17.16.3 reads them from there too, so the standalone updates.config.ts is gone and one source of truth covers both tools.

Fixes: #33386

Admin steps before/after merge

Two prerequisites in the go-gitea/gitea repo:

1. Create the RENOVATE_TOKEN secret

  • Use the existing @GiteaBot account so commits and PRs are authored under the project's established bot identity.
  • Sign in as GiteaBot and mint a fine-grained PAT scoped to go-gitea/gitea only:
    • Repository permissions: Contents: Read and write, Pull requests: Read and write, Workflows: Read and write, Metadata: Read-only (auto-added). The Workflows permission is required so Renovate can update .github/workflows/*.yml via the github-actions manager — without it, action-bump PRs fail.
    • Expiration: as long as policy allows; calendar a renewal.
    • A classic PAT works too, but needs both repo AND workflow scopes; fine-grained is preferred.
  • Confirm GiteaBot has write access on go-gitea/gitea (needed to push the renovate/* branches); add it as a collaborator if not already.
  • Repo → Settings → Secrets and variables → Actions → New repository secret → name RENOVATE_TOKEN, value = the PAT.

2. (Recommended) Branch protection for renovate/**

  • Repo → Settings → Rules → New ruleset → name "Restrict Renovate".
  • Target branches: include renovate/**.
  • Bypass list: add GiteaBot.
  • Rules: enable "Restrict creations" only — prevents anyone other than GiteaBot from creating spoofed renovate/* branches. Do not enable "Restrict pushes": maintainers still need to be able to push fixups to existing Renovate PRs (conflict resolution, small tweaks before merge).

3. Verify

  • Actions tab → cron-renovate → "Run workflow" to trigger manually instead of waiting for the next daily run.
  • First run will open a "Configure Renovate" onboarding PR (one-time) and then the dependency dashboard issue. After the onboarding PR is closed/merged, regular update PRs start appearing.

No GitHub App registration, no private key handling — a single PAT secret is the only credential.


This PR was written with the help of Claude Opus 4.7

Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
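
The bulleted setup above, written out as a renovate.json5 the way one would configure it. This is an added illustration, not the renovate.json5 merged in this PR: the schedule string, label names, group names, the fileFilters paths and the sample Makefile line quoted in the comment are assumptions, and pep621 is assumed to be the manager that covers the uv lock file. The option names themselves are Renovate's (config:recommended, helpers:pinGitHubActionDigests, customManagers:githubActionsVersions, minimumReleaseAge, osvVulnerabilityAlerts, packageRules, customManagers, postUpgradeTasks).

```json5
// renovate.json5 -- added example, not the file merged in this PR
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:recommended",
    // keep every `uses:` ref as a full commit SHA; Renovate bumps the SHA and
    // carries the trailing `# vX.Y.Z` comment along with it
    "helpers:pinGitHubActionDigests",
    // track the `# renovate: datasource=... depName=...` magic comment above
    // RENOVATE_VERSION in the cron workflow so the runtime image stays pinned
    "customManagers:githubActionsVersions",
  ],
  // regular updates: one batch per week (schedule string is an assumption);
  // the workflow cron itself runs daily so vulnerability PRs can land sooner
  schedule: ["before 6am on monday"],
  timezone: "UTC",
  // a release must be 5 days old before it is eligible; cheap guard against
  // releases that get yanked or turn out to be hijacked within days
  minimumReleaseAge: "5 days",
  // vulnerability PRs use Renovate's vulnerabilityAlerts defaults
  // (schedule: [], minimumReleaseAge: null, prCreation: "immediate"),
  // so neither the weekly schedule nor the 5-day cooldown delays them
  osvVulnerabilityAlerts: true,
  vulnerabilityAlerts: { labels: ["type/dependencies", "topic/security"] }, // assumed labels
  labels: ["type/dependencies"], // assumed label
  // the nix manager is disabled by default; enabling it replaces the
  // standalone flake-updater workflow with ordinary flake.lock bump PRs
  nix: { enabled: true },
  packageRules: [
    { matchManagers: ["github-actions"], groupName: "GitHub Actions" },
    // go.mod deps and the Makefile tool pins (found by the custom manager
    // below) both resolve through the `go` datasource, hence one PR
    { matchDatasources: ["go"], groupName: "Go" },
    { matchManagers: ["npm"], groupName: "npm" },
    { matchManagers: ["pep621"], groupName: "Python" }, // assumed manager for uv.lock
    { matchManagers: ["nix"], groupName: "Nix flake" },
  ],
  customManagers: [
    {
      customType: "regex",
      managerFilePatterns: ["/^Makefile$/"],
      // matches lines such as (hypothetical example line):
      //   ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1.7.7
      matchStrings: ["_PACKAGE \\?= (?<depName>[^@\\s]+)@(?<currentValue>v?[0-9][^\\s]*)"],
      datasourceTemplate: "go",
    },
  ],
  postUpgradeTasks: {
    // each entry must also be present, byte for byte, in the self-hosted
    // allowlist (RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS in the cron workflow);
    // a Renovate instance whose allowlist lacks them logs a WARN and skips them
    commands: ["make tidy", "make svg"],
    // only these paths are committed after the commands run (paths assumed)
    fileFilters: ["assets/go-licenses.json", "public/assets/img/svg/*.svg"],
    executionMode: "branch",
  },
}
```

The security-relevant split here is between the repo-level config and the self-hosted allowlist: postUpgradeTasks.commands run on a checkout of the update branch, so anyone who can change renovate.json5 can ask Renovate to run something, but Renovate only executes commands that the global allowlist (an env or global-config setting, not settable from the repo) already contains. That is also why the Mend-hosted instance warned and skipped make tidy / make svg later in this thread: its global allowlist is not the one configured in cron-renovate.yml.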
@GiteaBot GiteaBot added the label lgtm/need 2 ("This PR needs two approvals by maintainers to be considered for merging.") on Mar 31, 2026
@TheFox0x7
Contributor

Alternatively we can run it in our CI directly, though it's also via an app, just not the Mend one.
cc @techknowlogick per the Discord talk a few months ago

Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Comment thread .github/workflows/cron-renovate.yml Outdated
silverwind and others added 2 commits March 31, 2026 12:35
Signed-off-by: silverwind <me@silverwind.io>
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
@silverwind
Member Author

Once this is merged, I think we could go ahead with #36971; Renovate understands and can update the SHA format, so no manual updates needed.

Contributor

Copilot AI left a comment


Pull request overview

This PR migrates GitHub Actions dependency update automation from Dependabot to Renovate by adding a Renovate configuration and a scheduled workflow, and removing the existing Dependabot configuration.

Changes:

  • Add renovate.json to configure Renovate for github-actions updates with matching labels and a 5-day minimum release age.
  • Add a scheduled GitHub Actions workflow to run Renovate using a GitHub App installation token.
  • Remove .github/dependabot.yml to disable Dependabot updates.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
renovate.json Introduces Renovate configuration to manage GitHub Actions updates with repo labels and release age delay.
.github/workflows/cron-renovate.yml Adds a scheduled/manual workflow to run Renovate using a GitHub App token.
.github/dependabot.yml Removes Dependabot configuration now superseded by Renovate.


Comment thread .github/workflows/cron-renovate.yml
silverwind and others added 5 commits March 31, 2026 12:50
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Comment thread renovate.json5 Outdated
Comment thread renovate.json5 Outdated
Contributor

@TheFox0x7 TheFox0x7 left a comment


Thanks for this in general :)
I wanted to do it for a while but I didn't feel like the correct person to set it up with all the secrets needed to have it.

this also closes: #33386

@GiteaBot GiteaBot added the label lgtm/need 1 ("This PR needs approval from one additional maintainer to be merged.") and removed lgtm/need 2 ("This PR needs two approvals by maintainers to be considered for merging.") on Mar 31, 2026
@GiteaBot GiteaBot added the label lgtm/done ("This PR has enough approvals to get merged. There are no important open reservations anymore.") and removed lgtm/need 1 ("This PR needs approval from one additional maintainer to be merged.") on Mar 31, 2026
Comment thread .github/workflows/cron-renovate.yml Outdated
@silverwind silverwind marked this pull request as draft April 1, 2026 17:07
@silverwind
Member Author

silverwind commented Apr 15, 2026

Let's merge #37225 first and then we can use this PR to install a comprehensive renovate config that covers actions, go, npm, python deps.

Also I will then decide on which auth mechanism to use, and after merge an admin will need to install that auth.

Renovate has two config files: global and local. Prior to this change,
it read the config as global and local at the same time. This fixes the
issue by removing the repo-scoped config and giving Renovate the global
one only, without requiring an in-repository one.
This also enables migration of the config, which I assume will also
work on global configuration.

Without this, Renovate will complain about the config having warnings
during runs and on the dashboard.
Comment thread .github/workflows/cron-renovate.yml Outdated
@TheFox0x7
Contributor

Done from my side, unless we want to enable the dashboard. I find it useful as a general overview of what dependencies there are, but unpinned isn't very useful in the first place so... I'd like to see some others voice their opinions on it.

@silverwind
Member Author

I still think dashboard is mostly useless noise.

@bircni
Member

bircni commented Apr 26, 2026

Let's start with the dashboard and if it bothers us we remove...

@bircni
Member

bircni commented Apr 26, 2026

@TheFox0x7 can you approve

@silverwind
Member Author

silverwind commented Apr 26, 2026

Let's start with the dashboard and if it bothers us we remove...

Ok with me if we won't pin it, at least initially.

Contributor

@TheFox0x7 TheFox0x7 left a comment


I don't get why you're so against the dashboard. It's a single issue which is more informative than looking at the job logs as to why the bot fails, groups items or misbehaves.

Especially since no one is making you look at the pinned issues anyway, and scrolling slightly down already happens if there's a release pending.

@GiteaBot GiteaBot added the label lgtm/done ("This PR has enough approvals to get merged. There are no important open reservations anymore.") and removed lgtm/need 1 ("This PR needs approval from one additional maintainer to be merged.") on Apr 26, 2026
@silverwind
Member Author

silverwind commented Apr 26, 2026

I'm not against it if it's helpful. I'm just annoyed when seeing a "Dependency dashboard" pinned issue on the issues list; I find it distracting when pinned. But I guess it's a minor issue, Gitea already has "Release" issues pinned regularly so at least it's not extra scroll distance.

I think I generally dislike any pinned issues unless they give substantial value for every reader.

@silverwind silverwind added the label reviewed/wait-merge ("This pull request is part of the merge queue. It will be merged soon.") on Apr 26, 2026
@silverwind silverwind enabled auto-merge (squash) April 26, 2026 14:01
@silverwind silverwind merged commit 99cd4f6 into go-gitea:main Apr 26, 2026
26 checks passed
@silverwind silverwind deleted the renovate branch April 26, 2026 14:25
@GiteaBot GiteaBot added this to the 1.27.0 milestone Apr 26, 2026
@GiteaBot GiteaBot removed the label reviewed/wait-merge ("This pull request is part of the merge queue. It will be merged soon.") on Apr 26, 2026
@silverwind
Member Author

Dashboard is here: #37438

@silverwind
Member Author

Follow-up on the dashboard warning in #37438:

⚠️ WARN: Post-upgrade task did not match any on allowedCommands list

This comes from the Mend.io hosted Renovate also seeing the repo (note the "Mend.io Web Portal" link in the dashboard body). Its global allowedCommands doesn't include make tidy/make svg, so it warns and skips them. The self-hosted cron-renovate workflow added in this PR is the authoritative instance and runs them fine via RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS.

Suggestion: an admin should uninstall the Mend Renovate GitHub App from go-gitea/gitea (org → Settings → Installations). It's redundant with the self-hosted workflow, silences the warning, removes the duplicate dashboard, and avoids two bots racing on renovate/* branches.


Comment written by Claude Opus 4.7.

@silverwind
Member Author

@lunny please do the above

@TheFox0x7
Contributor

I don't get how this happened... what token was even added?

@silverwind
Member Author

silverwind commented Apr 26, 2026

Certainly odd, but at least I don't see duplicate dashboards:

https://github.com/go-gitea/gitea/issues?q=is%3Aissue%20state%3Aopen%20author%3Aapp%2Frenovate

I think app needs to be removed and then the self-hosted action will run tomorrow and do the onboarding issue as well as open a new dashboard issue.


@silverwind
Member Author

Yeah, the app just needs to be removed and the wrong dashboard needs to be closed. Then run the action manually once to get the onboarding, which should then make the dashboard and start opening PRs for updates.

silverwind added a commit to McMichalK/gitea that referenced this pull request Apr 26, 2026
* origin/main: (176 commits)
  Refactor pull request view (3) (go-gitea#37439)
  Update 1.26.1 changelog in main (go-gitea#37442)
  Make GetPossibleUserByID can handle deleted user (go-gitea#37430)
  Fix fetch action redirect (go-gitea#37437)
  Refactor integration test DecodeJSON calls to use generic return value (go-gitea#37432)
  Integrate renovate bot for all dependency updates (go-gitea#37050)
  Refactor pull request view (2) (go-gitea#37428)
  Use MarkLongPolling instead of hard-coded route path (go-gitea#37427)
  Optimize CI caches (go-gitea#37387)
  Update AGENTS.md (go-gitea#37420)
  Update Nix flake (go-gitea#37425)
  [skip ci] Updated translations via Crowdin
  remove excessive quote from terraform instructions (go-gitea#37424)
  Improve testing init, clean up webhook tests (go-gitea#37412)
  Fix color regressions, add `priority` color (go-gitea#37417)
  [skip ci] Updated translations via Crowdin
  Stabilize e2e logout propagation test (go-gitea#37403)
  refactor: serve site manifest via `/assets/site-manifest.json` endpoint (go-gitea#37405)
  feat(security): set X-Content-Type-Options: nosniff by default (go-gitea#37354)
  Refactor pull request view (1) (go-gitea#37380)
  ...

# Conflicts:
#	templates/repo/diff/box.tmpl
zjjhot added a commit to zjjhot/gitea that referenced this pull request Apr 27, 2026
* main: (33 commits)
  refactor: use named `Permission` field in `Repository` struct instead of anonymous embedding (go-gitea#37441)
  Refactor pull request view (3) (go-gitea#37439)
  Update 1.26.1 changelog in main (go-gitea#37442)
  Make GetPossibleUserByID can handle deleted user (go-gitea#37430)
  Fix fetch action redirect (go-gitea#37437)
  Refactor integration test DecodeJSON calls to use generic return value (go-gitea#37432)
  Integrate renovate bot for all dependency updates (go-gitea#37050)
  Refactor pull request view (2) (go-gitea#37428)
  Use MarkLongPolling instead of hard-coded route path (go-gitea#37427)
  Optimize CI caches (go-gitea#37387)
  Update AGENTS.md (go-gitea#37420)
  Update Nix flake (go-gitea#37425)
  [skip ci] Updated translations via Crowdin
  remove excessive quote from terraform instructions (go-gitea#37424)
  Improve testing init, clean up webhook tests (go-gitea#37412)
  Fix color regressions, add `priority` color (go-gitea#37417)
  [skip ci] Updated translations via Crowdin
  Stabilize e2e logout propagation test (go-gitea#37403)
  refactor: serve site manifest via `/assets/site-manifest.json` endpoint (go-gitea#37405)
  feat(security): set X-Content-Type-Options: nosniff by default (go-gitea#37354)
  ...
silverwind added a commit to hanism01/gitea that referenced this pull request Apr 27, 2026
…-review-feedback

* origin/main: (144 commits)
  Add API endpoint to reply to pull request review comments (go-gitea#36683)
  Add CurrentURL template variable back (go-gitea#37444)
  refactor: use named `Permission` field in `Repository` struct instead of anonymous embedding (go-gitea#37441)
  Refactor pull request view (3) (go-gitea#37439)
  Update 1.26.1 changelog in main (go-gitea#37442)
  Make GetPossibleUserByID can handle deleted user (go-gitea#37430)
  Fix fetch action redirect (go-gitea#37437)
  Refactor integration test DecodeJSON calls to use generic return value (go-gitea#37432)
  Integrate renovate bot for all dependency updates (go-gitea#37050)
  Refactor pull request view (2) (go-gitea#37428)
  Use MarkLongPolling instead of hard-coded route path (go-gitea#37427)
  Optimize CI caches (go-gitea#37387)
  Update AGENTS.md (go-gitea#37420)
  Update Nix flake (go-gitea#37425)
  [skip ci] Updated translations via Crowdin
  remove excessive quote from terraform instructions (go-gitea#37424)
  Improve testing init, clean up webhook tests (go-gitea#37412)
  Fix color regressions, add `priority` color (go-gitea#37417)
  [skip ci] Updated translations via Crowdin
  Stabilize e2e logout propagation test (go-gitea#37403)
  ...

# Conflicts:
#	models/project/column.go
#	routers/web/repo/issue_page_meta.go

Labels

lgtm/done ("This PR has enough approvals to get merged. There are no important open reservations anymore.")
topic/build ("PR changes how Gitea is built, i.e. regarding Docker or the Makefile")


Development

Successfully merging this pull request may close these issues.

Use renovate for automatic dependency updates

7 participants